Abstract: A method for managing a shared buffer between a data processing system and a network. The method provides a communication interface unit for managing bandwidth of data between the data processing system and an external communicating interface connecting to the network. The method performs, by the communication interface unit, a combined de-queue and head drop operation on at least one data packet queue within a predefined number of clock cycles. The method also performs, by the communication interface unit, an en-queue operation on the at least one data packet queue in parallel with the combined de-queue operation and head drop operation within the predefined number of clock cycles.

Abstract: A first access point is included in a first VLAN but not included in a second VLAN. The first access point is operatively coupled to a second access point that is included in the second VLAN but not included in the first VLAN. The second VLAN includes a multicast domain name system (mDNS) service that is not multicast to the first VLAN. The first access point is configured to receive an mDNS request for the mDNS service from a client device that is operatively coupled to the first VLAN. The first access point is configured to send, to the second access point, an encapsulated mDNS request that is based on the mDNS request from the client device such that a connection is established between the client device and a network device providing the mDNS service within the second VLAN.

Abstract: An apparatus includes a network management module to store a network configuration file. The network configuration file having a binding association with an identifier of a port from a plurality of ports of a switch fabric when the network management module is in a first configuration. The network management module selects the network configuration file based on the binding association with the identifier if the port in response to an access switch being operatively coupled to the port. The network configuration file having a binding association with an identifier of the access switch when the network management module is in a second configuration. The network management module selects the network configuration file based on the binding association with the identifier of the access switch in response to the access switch being operatively coupled to the port.

Abstract: In some embodiments, an apparatus includes a layer-2 device operably coupled to a source device and a destination device and disposed within a data path (1) between the source device and the destination device, and (2) includes at least one layer-3 device. The layer-2 device receives a first test data unit from the source device, and defines a quality datum associated with processing the first test data unit. The layer-2 device defines a second test data unit based on the first test data unit that includes the quality datum associated with processing the first test data unit. The layer-2 device sends the second test data unit to the layer-3 device. The layer-3 device defines a quality datum associated with processing the second test data unit at the layer-3 device and defines a third test data unit based on the second test data unit.

Abstract: Label Distribution Protocol (LDP) extensions are described that enable distribution of neighbor-label mappings for directly connected neighbor routers. A router capable of supporting the LDP extensions distributes neighbor-labels to be used by the router to label switch traffic destined for the directly connected neighbor router irrespective of a hop-by-hop Interior Gateway Protocol (IGP) path determined based on link metrics. In some examples, the neighbor-labels may increase backup coverage, e.g., link protection and/or node protection, in a network that, due to link metrics, does not have a viable loop-free alternate (LFA) path between an ingress router and an egress router of a label switched path (LSP). In other examples, the neighbor-labels may improve load balancing by enabling an ingress router in a first autonomous system (AS) to select a particular remote link on which to send traffic destined for remote routers in a second AS.

Abstract: In some embodiments, an apparatus includes a forwarding module that is configured to receive a group of first data packets. The forwarding module is configured to modify a data flow value in response to receiving each first data packet. The forwarding module is also configured to store each first data packet in a first output queue based on the data flow value not crossing a data flow threshold after being modified. Furthermore, the forwarding module is configured to receive a second data packet. The forwarding module is configured to modify the data flow value in response to receiving the second data packet, such that the data flow value crosses the data flow threshold. The forwarding module is configured to store the second data packet in a second output queue based on the data flow value having crossed the data flow threshold.

Abstract: In one embodiment, an apparatus includes a switching policy module configured to define a switching policy associating a Fibre Channel port with a destination Media Access Control (MAC) address. The switching module can be configured to receive a Fibre Channel over Ethernet (FCoE) frame from a network device and send a Fibre Channel frame encapsulated in the FCoE frame to the Fibre Channel port based at least in part on the switching policy and a destination MAC address of the FCoE frame.

Abstract: A data read/write system includes a system clock, a single port memory, a cache memory that is separate from the single port memory, and a controller coupled to an instruction pipeline. The controller receives, via the instruction pipeline, first data to write to an address of the single port memory, and further receives, via the instruction pipeline, a request to read second data from the single port memory. The controller stores the first data in the cache memory, and retrieves the second data from either the cache memory or the single port memory during one or more first clock cycles of the system clock. The controller copies the first data from the cache memory and stores the first data at the address in the single port memory during a second clock cycle of the system clock that is different than the one or more first clock cycles.

Abstract: In some embodiments, an apparatus includes an optical transceiver system that includes a set of optical transmitters and a backup optical transmitter. In such embodiments, each optical transmitter from the set of optical transmitter can transmit at a unique wavelength from a set of wavelengths. The backup optical transmitter can transmit at a wavelength from the set of wavelengths when an optical transmitter from the set of optical transmitters associated with that wavelength fails. In other embodiments, an apparatus includes an optical transceiver system that includes a set of optical receivers and a backup optical receiver. The backup optical receiver can receive at a wavelength from the set of wavelengths when an optical receiver from the set of optical receivers associated with that wavelength fails.

Abstract: In some embodiments, an apparatus comprises a core network node configured to be operatively coupled to a set of network nodes. The core network node is configured to receive a broadcast signal from a network node from the set of network nodes, which is originated from a host device operatively coupled to the network node. The broadcast signal is sent via a tunnel from the network node to the core network node, such that other network nodes that are not included in the tunnel do not receive the broadcast signal. The core network node is configured to retrieve control information associated with the broadcast signal without sending another broadcast signal, and then send the control information to the network node.

Abstract: A node is configured to receive, from a second node, a request to establish a session; perform, in response to the request, a network address translation (NAT) operation to establish the session, the NAT operation causing a first port block to be allocated to the session, the first port block including a first set of ports via which traffic, associated with the session, is transported; determine that the set of ports are no longer available for the session; determine whether a quantity of times that the first port block has been allocated to the session is greater than a threshold; and retain the first port block, for the session, when the quantity of times that the first port block has been allocated to the session is not greater than the threshold.

Abstract: A server device receives, from a member device, a registration request for a group virtual private network (VPN) and provides an initial firewall security policy for the group VPN. The server device receives instructions for a policy configuration change and sends, to the member device, a push message that includes dynamic policies to implement the policy configuration change. The dynamic policies are implemented as a subset of a template policy. The member device receives the push message with the dynamic policies, associates the dynamic policies with the template policy, and applies the initial security policy data and the dynamic policies to incoming traffic without the need for a reboot of the member device.

Abstract: A device is configured to receive a first request sent from a user device to a server. The first request may include a request to receive particular information from the server. The device receives a response to the first request sent from the server to the user device. The response includes the particular information. The device determines a potential request from the user device based on the particular information included in the response. The devices determines a policy associated with the potential request prior to a second request corresponding to the potential request being received. The device receives the second request from the user device. The device processes the second request based on the policy that was determined prior to the second request being received.

Abstract: A system provides congestion control and includes multiple queues that temporarily store data and a drop engine. The system associates a value with each of the queues, where each of the values relates to an amount of memory associated with the queue. The drop engine compares the value associated with a particular one of the queues to one or more programmable thresholds and selectively performs explicit congestion notification or packet dropping on data in the particular queue based on a result of the comparison.

Abstract: A security device may receive, from a client device, a request associated with a server device. The security device may determine a communication channel and contact information for validating the request. The security device may provide validation information via the communication channel using the contact information. The security device may receive a validation response from the client device, and may determine whether the validation response is valid. The security device may selectively perform a first action or a second action based on determining whether the validation response is valid. The first action may be performed based on determining that the validation response is valid, and may include providing a validation indicator, with the request, to the server device. The second action may be performed based on determining that the validation response is not valid, and may include providing an invalidation indicator, with the request, to the server device.

Abstract: A method and an apparatus for rapidly resuming, at times of failures, network traffic in a connection-oriented network by using an alternative route pre-computed and stored locally in nodes along an initial route without requiring signaling of upstream nodes or a master server.

Abstract: An apparatus may include a receiver configured to receive chunks of data on a downstream channel from a cable modem termination system. The receiver may be further configured to enter a low power state in which the chunks of data cannot be received. Wake up circuitry may be configured to monitor data in the downstream channel for a wake up signal when the receiver is in the low power state.

Abstract: In general, techniques are described for ensuring the distribution of Virtual Private Network (VPN) routes in a service provider network configured with multiple VPN services. In some examples, a network device receives configuration data that defines a VPN service associated with a route target. The network device, responsive to receiving the configuration data, sends a request for routes that match a type of the VPN service to a routing protocol speaker. The network device receives routes that match the type of the VPN service and are associated with the route target, installs the routes that match the type of the VPN service and are associated with the route target to the routing information base. The network device forwards traffic for the VPN service in accordance with the installed routes.

Abstract: A system and method for detecting malware optimized for mobile platforms. The system and method compares hashed portions of one or more malware signatures to hashes hashed from a suspect application, to determine whether the suspect application is malware-free. A second stage robust hash and splatter set of pseudorandomly selected blocks of the malware signatures reduce false positives allowing for improved detection of malware.

Abstract: In general, this disclosure describes a high-level forwarding path description language (FPDL) for describing internal forwarding paths within a network device. The FPDL enables developers to create a template that describes a section of an internal forwarding path within the forwarding plane of a network device. The FPDL provides syntactical elements for specifying the allocation of forwarding path structures as well as enabling the run-time construction of internal forwarding paths to interconnect the forwarding path structures in a manner specific to packet, packet flow, and/or interface properties, for example. In conjunction with late binding techniques, whereby the control plane of the network device provides arguments to template parameters that drive allocation by the packet forwarding engines of forwarding path structures specified by the FPDL, the techniques provide control plane processes a unified interface with which to manage the operation of the packet forwarding engines.